question for next Tomcat 6.0 release
Hi I am wondering if someone knows about release scheduled for next version : Tomcat v6.0.30 or any release schedule in next six month. I am currently running tomcat 6.0.26 [my development box with single instance configuration] and 6.0.28 on my test environment [two node cluster] and it is getting time to consider to upgrade to the latest. I do not think we will test tomcat 7 at this moment. Thanks, yasushi ### This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. ###
RE: Tomcat 5.5 and 6.0
Thanks Christine for feedback, I would like to chat about your input when I return to the office. Matthew told me that we will visit TCP to install ITUTils, SeepdR and Mach5 next January. So, I would like to work with you November to finish this feature. Thanks again, yasushi -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Thursday, October 28, 2010 9:22 AM To: Tomcat Users List Subject: RE: Tomcat 5.5 and 6.0 From: Alfio Vergine [mailto:averg...@eastnets.com] Subject: Tomcat 5.5 and 6.0 I would like to know when an application is compatible with 5.5 versions, it is also with 6.0? Highly likely. Or testing should be done? Always. There are any official statements about it? http://tomcat.apache.org/migration.html - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org ### This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. ### - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for sso session replication in tomcat 6.0.26
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, June 25, 2010 4:29 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 24/06/2010 21:49, Okubo, Yasushi (TSD) wrote: My bad. I added *.jsp to the filter since it contains the path to index page as follows. Now, I am wondering when sso session id is created and replicated, is it when index.jsp was accessed or login.jsp was accessed? You had added it and have now removed it? The normal session id is created when you access a JSP for the first time, unless you have specifically configured JSPs to not create a session. A session can also be created manually by a Filter or a Servlet. The SSO session is created when the container login process completes authentication successfully. I'm not entirely clear on when SSO replication occurs - presumably only when there's a change like session invalidation or creation. p Hi Pid I tested with the latest v6.0.28, and sso session identifier propagation has been fixed. https://issues.apache.org/bugzilla/show_bug.cgi?id=49445 Thanks, - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for sso session replication in tomcat 6.0.26
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, June 28, 2010 4:01 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 28/06/2010 23:19, Okubo, Yasushi (TSD) wrote: On 28/06/2010 21:21, Okubo, Yasushi (TSD) wrote: Yes, I do. Manager className=org.apache.catalina.ha.session.DeltaManager name=webclust2 expireSessionsOnShutdown=false Hmm. Can you unset the DeltaManager name attribute on all of your instances? p Hi Pid I moved expireSessionOnShutdown, but the result was the same. I did not see any difference. I didn't ask you to move expireSessionsOnShutdown, I asked you not to set the name attribute. /** * Return the descriptive short name of this Manager implementation. */ public String getName() { return name; } It's the only thing I can see in your config that looks weird. I'm not really sure how it could affect things, but it might, so don't set it, please. By the way, when I shutdown the node1, it is getting action = 3 from SimpleTpcCluster, which means logout defined in singlesignonmessage.java. And clustersinglesignon is deregistering this session id from other nodes. It looks like clustersinglesignon can send a message to other nodes even if deltamanager.expireSessionsOnShutdown set to false. Why? I don't know. Certainly seems odd, I'll look into the expireSessionsOnShutdown attribute again tomorrow. p Hi Pid I removed name attribute from DeltaManager, but the result was the same. It looks like ClusteSingleSignOn is sending deregister message through SimpleTCPCluster when it received the message from GroupChannel. Action = 3 is logout. Jun 29, 2010 10:25:16 AM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{-47, 62, -63, -59, 37, 80, 72, -98, -85, -5, 102, -1, -95, 34, 82, 25} is SingleSignOnMessage[action=3, ssoId=D01FF1E66C0D50C4418216F9974FA667, sessionId=null, username=null] - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for sso session replication in tomcat 6.0.26
On 28/06/2010 23:19, Okubo, Yasushi (TSD) wrote: On 28/06/2010 21:21, Okubo, Yasushi (TSD) wrote: Yes, I do. Manager className=org.apache.catalina.ha.session.DeltaManager name=webclust2 expireSessionsOnShutdown=false Hmm. Can you unset the DeltaManager name attribute on all of your instances? p Hi Pid I moved expireSessionOnShutdown, but the result was the same. I did not see any difference. I didn't ask you to move expireSessionsOnShutdown, I asked you not to set the name attribute. /** * Return the descriptive short name of this Manager implementation. */ public String getName() { return name; } It's the only thing I can see in your config that looks weird. I'm not really sure how it could affect things, but it might, so don't set it, please. By the way, when I shutdown the node1, it is getting action = 3 from SimpleTpcCluster, which means logout defined in singlesignonmessage.java. And clustersinglesignon is deregistering this session id from other nodes. It looks like clustersinglesignon can send a message to other nodes even if deltamanager.expireSessionsOnShutdown set to false. Why? I don't know. Certainly seems odd, I'll look into the expireSessionsOnShutdown attribute again tomorrow. p Hi Pid I removed name attribute from DeltaManager, but the result was the same. It looks like ClusteSingleSignOn is sending deregister message through SimpleTCPCluster when it received the message from GroupChannel. Action = 3 is logout. Jun 29, 2010 10:25:16 AM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{-47, 62, -63, -59, 37, 80, 72, -98, -85, -5, 102, -1, -95, 34, 82, 25} is SingleSignOnMessage[action=3, ssoId=D01FF1E66C0D50C4418216F9974FA667, sessionId=null, username=null] It looks like DeltaManager stopped, so expireSessionsOnShutdown flag may not have any impact on this matter. After SingleSignOn.sessionEvent destroying the session value, and sso ssession, somehow this message was propagated to simpleTpcCluster and clusterSingleSignOn is deregisterting sso session by sending this message to simpleTpcCluster. Is there any way to stop it? Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.session.DeltaManager stop FINE: Manager [/cluster] is stopping Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [/cluster] expiring sessions upon shutdown Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn sessionEvent FINE: Process session destroyed on DeltaSession[EBEEECC91096DF7020488C1BDD75DF41.jvm2] Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.transport.nio.ParallelNioSender doLoop FINER: ParallelNioSender - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.689 to tcp://{127, 0, 0, 1}:4010 Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.ChannelCoordinator sendMessage FINER: ChannelCoordinator - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} is SingleSignOnMessage[action=3, ssoId=1C052A3927DC43EE6CAF27997F85C23B, sessionId=null, username=null] Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.authenticator.ClusterSingleSignOn deregister FINE: SingleSignOnMessage Send with action 3 Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn deregister FINE: Deregistering sso id '1C052A3927DC43EE6CAF27997F85C23B' Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn deregister FINER: Invalidating session DeltaSession[EBEEECC91096DF7020488C1BDD75DF41.jvm2] Jun 28, 2010 3:05:53 PM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 3:05:53 PM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 3:05:53 PM org.apache.catalina.core.StandardContext listenerStop FINE: Sending application stop events - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for sso session replication in tomcat 6.0.26
Hi Pid I think I found a problem. Could you tell me how to fix this? Should I report it to bugzilla? SingleSignOn sessionEvent is destroying session, but DeltaSession is notifying session expiration to other node on same cluster. == singlesignon == protected void deregister(String ssoId) { if (containerLog.isDebugEnabled()) containerLog.debug(Deregistering sso id ' + ssoId + '); // Look up and remove the corresponding SingleSignOnEntry SingleSignOnEntry sso = null; synchronized (cache) { sso = (SingleSignOnEntry) cache.remove(ssoId); } if (sso == null) return; // Expire any associated sessions Session sessions[] = sso.findSessions(); for (int i = 0; i sessions.length; i++) { if (containerLog.isTraceEnabled()) containerLog.trace( Invalidating session + sessions[i]); // Remove from reverse cache first to avoid recursion synchronized (reverse) { reverse.remove(sessions[i]); } // Invalidate this session sessions[i].expire(); -- this is calling deltasession.expire(true), then dltasession.expire(notify, true) } // NOTE: Clients may still possess the old single sign on cookie, // but it will be removed on the next request since it is no longer // in the cache } == deltasesion == public void expire(boolean notify) { expire(notify, true); } public void expire(boolean notify, boolean notifyCluster) { if (expiring) return; String expiredId = getIdInternal(); if(expiredId != null manager != null manager instanceof DeltaManager) { DeltaManager dmanager = (DeltaManager)manager; CatalinaCluster cluster = dmanager.getCluster(); ClusterMessage msg = dmanager.requestCompleted(expiredId, true); if (msg != null) { if(dmanager.doDomainReplication()) { cluster.sendClusterDomain(msg); } else { cluster.send(msg); } } } super.expire(notify); if (notifyCluster) { if (log.isDebugEnabled()) log.debug(sm.getString(deltaSession.notifying, ((ClusterManager)manager).getName(), new Boolean(isPrimarySession()), expiredId)); if ( manager instanceof DeltaManager ) { ( (DeltaManager) manager).sessionExpired(expiredId); } } } Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [/cluster] expiring sessions upon shutdown Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn sessionEvent FINE: Process session destroyed on DeltaSession[EBEEECC91096DF7020488C1BDD75DF41.jvm2] Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.transport.nio.ParallelNioSender doLoop FINER: ParallelNioSender - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.689 to tcp://{127, 0, 0, 1}:4010 Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.ChannelCoordinator sendMessage FINER: ChannelCoordinator - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} is SingleSignOnMessage[action=3, ssoId=1C052A3927DC43EE6CAF27997F85C23B, sessionId=null, username=null] Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.authenticator.ClusterSingleSignOn deregister FINE: SingleSignOnMessage Send with action 3 Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn deregister FINE: Deregistering sso id '1C052A3927DC43EE6CAF27997F85C23B' - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
question : how to get debug log
Hi expert I would like get the further detail log defined in the source in such a way that a) containerLog.debug() or log.isDebugEnabled(). I tried to change log level defined in conf/logging.properties, but I am not getting what I want. For example, if I want to print debug message from singlesignon class in Catalina.out, could someone tell me what to do? Thanks,
RE: question for sso session replication in tomcat 6.0.26
sendMessage FINER: ChannelCoordinator - Sent msg:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} at 2010-06-28 10:27:40.786 to {tcp://{127, 0, 0, 1}:4010, tcp://{127, 0, 0, 1}:4020} Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Sent msg:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} at 2010-06-28 10:27:40.787 to {tcp://{127, 0, 0, 1}:4010, tcp://{127, 0, 0, 1}:4020} Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} is SingleSignOnMessage[action=3, ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C, sessionId=null, username=null] Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.authenticator.ClusterSingleSignOn deregister FINE: SingleSignOnMessage Send with action 3 Jun 28, 2010 10:27:40 AM org.apache.catalina.authenticator.SingleSignOn deregister FINE: Deregistering sso id '7BA0AB7AE2BFDB08CE2EBE8F42D3E89C' Jun 28, 2010 10:27:40 AM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 10:27:40 AM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 10:27:40 AM org.apache.catalina.core.StandardContext listenerStop FINE: Sending application stop events /** * Notifies the cluster that a single sign on session * has been terminated due to a user logout, deregister * the specified single sign on identifier, and invalidate * any associated sessions on the local node. * * @param ssoId Single sign on identifier to deregister */ protected void deregister(String ssoId) { if (cluster != null) { messageNumber++; SingleSignOnMessage msg = new SingleSignOnMessage(cluster.getLocalMember(), ssoId, null); msg.setAction(SingleSignOnMessage.LOGOUT_SESSION); cluster.sendClusterDomain(msg); if (containerLog.isDebugEnabled()) containerLog.debug(SingleSignOnMessage Send with action + msg.getAction()); } deregisterLocal(ssoId); } protected void deregisterLocal(String ssoId) { super.deregister(ssoId); } -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, June 25, 2010 4:29 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 24/06/2010 21:49, Okubo, Yasushi (TSD) wrote: My bad. I added *.jsp to the filter since it contains the path to index page as follows. Now, I am wondering when sso session id is created and replicated, is it when index.jsp was accessed or login.jsp was accessed? You had added it and have now removed it? The normal session id is created when you access a JSP for the first time, unless you have specifically configured JSPs to not create a session. A session can also be created manually by a Filter or a Servlet. The SSO session is created when the container login process completes authentication successfully. I'm not entirely clear on when SSO replication occurs - presumably only when there's a change like session invalidation or creation. p == index.jsp == % response.sendRedirect(/test/index.html?homepage=dynprop=Home); % -Original Message- From: Okubo, Yasushi (TSD) Sent: Thursday, June 24, 2010 1:13 PM To: 'Tomcat Users List' Subject: RE: question for sso session replication in tomcat 6.0.26 Hi Pid I started getting the following error upon login to one node onto cluster. Could you tell me what this mean is? Yasushi Jun 24, 2010 10:51:58 AM org.apache.catalina.ha.tcp.ReplicationValve sendReplicationMessage SEVERE: Unable to perform replication request. java.lang.NullPointerException at org.apache.catalina.ha.tcp.ReplicationValve.isRequestWithoutSessionChang e(ReplicationValve.java:590) at org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessag e(ReplicationValve.java:516) at org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(Repli cationValve.java:430) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java :363) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555 ) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java: 421) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service
RE: question for sso session replication in tomcat 6.0.26
Yes, I do. Manager className=org.apache.catalina.ha.session.DeltaManager name=webclust2 expireSessionsOnShutdown=false -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, June 28, 2010 1:09 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 28/06/2010 19:58, Okubo, Yasushi (TSD) wrote: Hi Pid I got more detailed log and it looks like clustersinglesignon is deregistering sso session on other nodes. 0. session destroyed C0641336BF4E6B4654927AA3337EAB9F.jvm1 by shutdown [on node1] 1. clustersinglesignon is calling singlesignon to invalidate session [ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C] for node1 2, but it looks like this message came back to the node1 (through group channel/mulitcast?) 3. then clustersinglesignon is deregistering this session again for ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C. deregister method propagates this message to other nodes to deregister ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C from all members in the same cluster. Is there any way to break this chain of actions to stop clustersinglesigon invoking deregister method? Do you have ClusterManager.expireSessionsOnShutdown set to false? p Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.session.DeltaManager stop FINE: Manager [/cluster] is stopping Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [/cluster] expiring sessions upon shutdown FINE: Process session destroyed on DeltaSession[C0641336BF4E6B4654927AA3337EAB9F.jvm1] Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask serviceChannel FINER: About to service key:sun.nio.ch.selectionkeyi...@1bd7b222 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask run FINER: Servicing key:sun.nio.ch.selectionkeyi...@1bd7b222 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask run FINER: Draining channel:sun.nio.ch.selectionkeyi...@1bd7b222 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask registerForRead FINER: Adding key for read event:sun.nio.ch.selectionkeyi...@1bd7b222 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReceiver addEvent FINER: Adding event to selector:org.apache.catalina.tribes.transport.nio.nioreplicationtas...@5 637dde9 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask drainChannel FINER: NioReplicationThread - Received msg:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} at 2010-06-28 10:27:40.78 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReceiver events FINER: Processing event in selector:org.apache.catalina.tribes.transport.nio.nioreplicationtas...@5 637dde9 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.group.ChannelCoordinator messageReceived FINER: ChannelCoordinator - Received msg:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} at 2010-06-28 10:27:40.78 from tcp://{127, 0, 0, 1}:4010 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask$1 run FINER: Registering key for read:sun.nio.ch.selectionkeyi...@1bd7b222 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.group.GroupChannel messageReceived FINER: GroupChannel - Received msg:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} at 2010-06-28 10:27:40.78 from tcp://{127, 0, 0, 1}:4010 Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.group.GroupChannel messageReceived FINER: GroupChannel - Receive Message:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} is SingleSignOnMessage[action=3, ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C, sessionId=null, username=null] Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.tcp.SimpleTcpCluster messageReceived FINE: Assuming clocks are synched: Replication for 7BA0AB7AE2BFDB08CE2EBE8F42D3E89C#-#1277746060782 took=1277746060782 ms. Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.authenticator.ClusterSingleSignOnListener messageReceived FINE: SingleSignOnMessage Received with action 3 Jun 28, 2010 10:27:40 AM org.apache.catalina.authenticator.SingleSignOn deregister FINE: Deregistering sso id '7BA0AB7AE2BFDB08CE2EBE8F42D3E89C' Jun 28, 2010 10:27:40 AM org.apache.catalina.authenticator.SingleSignOn deregister FINER: Invalidating session DeltaSession[C0641336BF4E6B4654927AA3337EAB9F.jvm1] 2010 10:27:40 AM org.apache.catalina.tribes.group.GroupChannel messageReceived FINER: GroupChannel delivered[true] id:UniqueId{48, -7, -97, -123, -116, -54, 78, -17, -115, -13, -34, 116, 39, 49, 95, 17} Jun 28, 2010 10:27:40 AM org.apache.catalina.tribes.transport.nio.NioReplicationTask sendAck FINER: ACK sent to 55801 Jun 28, 2010 10:27:40 AM
RE: question for sso session replication in tomcat 6.0.26
On 28/06/2010 21:21, Okubo, Yasushi (TSD) wrote: Yes, I do. Manager className=org.apache.catalina.ha.session.DeltaManager name=webclust2 expireSessionsOnShutdown=false Hmm. Can you unset the DeltaManager name attribute on all of your instances? p Hi Pid I moved expireSessionOnShutdown, but the result was the same. I did not see any difference. By the way, when I shutdown the node1, it is getting action = 3 from SimpleTpcCluster, which means logout defined in singlesignonmessage.java. And clustersinglesignon is deregistering this session id from other nodes. It looks like clustersinglesignon can send a message to other nodes even if deltamanager.expireSessionsOnShutdown set to false. Why? Then, how can Tomcat differentiate event between shutdown and logout? == Catalina.out == Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.session.DeltaManager stop FINE: Manager [/cluster] is stopping Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [/cluster] expiring sessions upon shutdown Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn sessionEvent FINE: Process session destroyed on DeltaSession[EBEEECC91096DF7020488C1BDD75DF41.jvm2] Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.transport.nio.ParallelNioSender doLoop FINER: ParallelNioSender - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.689 to tcp://{127, 0, 0, 1}:4010 Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.ChannelCoordinator sendMessage FINER: ChannelCoordinator - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Sent msg:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} at 2010-06-28 15:05:53.69 to {tcp://{127, 0, 0, 1}:4010} Jun 28, 2010 3:05:53 PM org.apache.catalina.tribes.group.GroupChannel send FINER: GroupChannel - Send Message:UniqueId{-2, -89, -62, -53, 103, -39, 67, -1, -111, 52, -43, -84, -41, 66, 66, 31} is SingleSignOnMessage[action=3, ssoId=1C052A3927DC43EE6CAF27997F85C23B, sessionId=null, username=null] Jun 28, 2010 3:05:53 PM org.apache.catalina.ha.authenticator.ClusterSingleSignOn deregister FINE: SingleSignOnMessage Send with action 3 Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn deregister FINE: Deregistering sso id '1C052A3927DC43EE6CAF27997F85C23B' Jun 28, 2010 3:05:53 PM org.apache.catalina.authenticator.SingleSignOn deregister FINER: Invalidating session DeltaSession[EBEEECC91096DF7020488C1BDD75DF41.jvm2] Jun 28, 2010 3:05:53 PM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 3:05:53 PM org.apache.catalina.connector.MapperListener handleNotification FINE: Handle Catalina:type=Manager,path=/cluster,host=webclust2 type : JMX.mbean.unregistered Jun 28, 2010 3:05:53 PM org.apache.catalina.core.StandardContext listenerStop FINE: Sending application stop events == singlesignonmessage.java public class SingleSignOnMessage implements ClusterMessage, Serializable { public static final int ADD_SESSION = 1; public static final int DEREGISTER_SESSION = 2; public static final int LOGOUT_SESSION = 3; -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, June 28, 2010 1:09 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 28/06/2010 19:58, Okubo, Yasushi (TSD) wrote: Hi Pid I got more detailed log and it looks like clustersinglesignon is deregistering sso session on other nodes. 0. session destroyed C0641336BF4E6B4654927AA3337EAB9F.jvm1 by shutdown [on node1] 1. clustersinglesignon is calling singlesignon to invalidate session [ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C] for node1 2, but it looks like this message came back to the node1 (through group channel/mulitcast?) 3. then clustersinglesignon is deregistering this session again for ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C. deregister method propagates this message to other nodes to deregister ssoId=7BA0AB7AE2BFDB08CE2EBE8F42D3E89C from all members in the same cluster. Is there any way to break this chain of actions to stop clustersinglesigon invoking deregister method? Do you have ClusterManager.expireSessionsOnShutdown set to false? p Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.session.DeltaManager stop FINE: Manager [/cluster] is stopping Jun 28, 2010 10:27:40 AM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [/cluster] expiring sessions upon shutdown FINE: Process session destroyed on DeltaSession[C0641336BF4E6B4654927AA3337EAB9F.jvm1] Jun 28, 2010 10:27:40 AM
RE: question for sso session replication in tomcat 6.0.26
Hi Pid I started getting the following error upon login to one node onto cluster. Could you tell me what this mean is? Yasushi Jun 24, 2010 10:51:58 AM org.apache.catalina.ha.tcp.ReplicationValve sendReplicationMessage SEVERE: Unable to perform replication request. java.lang.NullPointerException at org.apache.catalina.ha.tcp.ReplicationValve.isRequestWithoutSessionChang e(ReplicationValve.java:590) at org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessag e(ReplicationValve.java:516) at org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(Repli cationValve.java:430) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java :363) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555 ) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java: 421) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 98) at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:427) at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpApr Protocol.java:384) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555) at java.lang.Thread.run(Thread.java:619) -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager
RE: question for sso session replication in tomcat 6.0.26
My bad. I added *.jsp to the filter since it contains the path to index page as follows. Now, I am wondering when sso session id is created and replicated, is it when index.jsp was accessed or login.jsp was accessed? == index.jsp == % response.sendRedirect(/test/index.html?homepage=dynprop=Home); % -Original Message- From: Okubo, Yasushi (TSD) Sent: Thursday, June 24, 2010 1:13 PM To: 'Tomcat Users List' Subject: RE: question for sso session replication in tomcat 6.0.26 Hi Pid I started getting the following error upon login to one node onto cluster. Could you tell me what this mean is? Yasushi Jun 24, 2010 10:51:58 AM org.apache.catalina.ha.tcp.ReplicationValve sendReplicationMessage SEVERE: Unable to perform replication request. java.lang.NullPointerException at org.apache.catalina.ha.tcp.ReplicationValve.isRequestWithoutSessionChang e(ReplicationValve.java:590) at org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessag e(ReplicationValve.java:516) at org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(Repli cationValve.java:430) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java :363) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555 ) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java: 421) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 98) at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:427) at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpApr Protocol.java:384) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555) at java.lang.Thread.run(Thread.java:619) -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared
RE: question for sso session replication in tomcat 6.0.26
Hi Pid My colleague found that a bunch of undocumented attributes for DeltaManager, and he started using them, then he told me that it looked like sso failover started working. So, I went to tomcat source code (v6.0.26) and checked the options he used. It turned out that sendAllSessionsWaitTime attribute needs to be set to -1. But this trick did not always work. sso failover still does not work in my test cases. Could you tell me the implications for this flag when we set to -1? It looks like DeltaManager will send replication messages all the time continuously. I am not sure if we want to set this flag on production since it still fails sso failover and may cause network issues. Have you found anything yet? yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession
RE: question for sso session replication in tomcat 6.0.26
Thanks Pid It might be related to the fix for 45255. This is the only one I can see remotely related. According to this fix, (I might be wrong), but it looks like once the user is logged-out from the application or node upon regular logout or node shutdown or some other reasons, a user is asked to relogin by default to renew sso session id. Is there any way to stop this behavior to add a flag or some kind in server.xml? I tested with mod_jk [v1.2.30] and httpd [2.2.15], and the result is consistent with mod_proxy_ajp and mod_balancer. SingleSignOn session does not failover. I will try to test older Tomcat 6.0.1x today. Yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all
RE: question for sso session replication in tomcat 6.0.26
Hi Pid I tested tomcat with three different versions [6.0.18, 6.0.20, 6.0.24] and the all results were consistent. SingleSignOn session did not failover. I hope someone can help me about this. yasushi -Original Message- From: Okubo, Yasushi (TSD) Sent: Wednesday, June 23, 2010 9:20 AM To: 'Tomcat Users List' Subject: RE: question for sso session replication in tomcat 6.0.26 Thanks Pid It might be related to the fix for 45255. This is the only one I can see remotely related. According to this fix, (I might be wrong), but it looks like once the user is logged-out from the application or node upon regular logout or node shutdown or some other reasons, a user is asked to relogin by default to renew sso session id. Is there any way to stop this behavior to add a flag or some kind in server.xml? I tested with mod_jk [v1.2.30] and httpd [2.2.15], and the result is consistent with mod_proxy_ajp and mod_balancer. SingleSignOn session does not failover. I will try to test older Tomcat 6.0.1x today. Yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy
RE: question for sso session replication in tomcat 6.0.26
in tomcat 6.0.26 Oh sorry, I re-read your answer. Not sure why SSO is not working, be interested to find out though.. AB On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno andrew.br...@gmail.com wrote: Hi Yasushi In your serverl.xml have you added the jvmroute to the Engine? i.e. Engine name=Catalina defaultHost=localhost jvmRoute=1 Andrew On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi Andrew Thank for your post. When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute. So, session replication upon failover is working fine, but singlesionon upon failover is not working on tomcat 6.0.x (including 6.0.26). yasushi -Original Message- From: Andrew Bruno [mailto:andrew.br...@gmail.com] Sent: Monday, June 21, 2010 9:18 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 Looking at the code I think this is wrong if (!_ssoSessionId.contains(. + jvmRoute)) { _ssoSessionId += . + jvmRoute; response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); } The original sessionId will already have the .+_any_other_jvmRoute included, so you need to substring it, and append the new jvmRoute. _ssoSessionId= _ssoSessionId.substring(0, _ssoSessionId.indexOf(.)) and then add _ssoSessionId += . + jvmRoute; AB On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi experts I found this old email from archive in TC 5.5.23. Does this problem still exist in tomcat 6.0.x or 6.0.26? When failover occurs, sso session id is updated with new number after forcing a user to relogin to the application since sso session id is not replicated and rewritten correctly. Could someone explain what is expected in current tomcat 6.0.x cluster upon failover? Should sso session id is replicated correctly in tomcat 6.0.x? Thanks, yasushi ROOKIE wrote: Hi, I have a problem with tomcat cluster + mod_proxy load balancer : We have a main app which authenticate itself to a webapp and from this app one can launch embedded apps which use the SSO cookie to access other webapps on the server (Single-Sign-On for the user). Things are working perfectly for the normal cookie but not for the sso cookie. The problem I have is that tomcat does not replicate SSO sessions so when these embedded apps route through the load balancer we get 401s on all the other cluster members except the one which actually generated the SSO cookie. I wanted to know if we can edit the SSO cookie generated by tomcat to also contain the jvmRoute parameter so that the load balancer directly goes to the correct cluster member. I tried doing this in my code by fetching the SSO cookie and appending to it the jvmRoute as follows : HttpServletRequest request = (HttpServletRequest)Security.getContext(HttpServletRequest.class); HttpServletResponse response = (HttpServletResponse)Security.getContext(HttpServletResponse.class); if(request != null) { String jvmRoute = Vinod_Cluster_1; // as mentioned in server.xml Cookie[] cookies = request.getCookies(); for(int nc=0; cookies != null nc cookies.length; nc++) { if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _sessionId = cookies[nc].getValue(); } else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _ssoSessionId = cookies[nc].getValue(); if (!_ssoSessionId.contains(. + jvmRoute)) { _ssoSessionId += . + jvmRoute; response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); } } But after this I started getting 401s from even the correct cluster member. My guess is addCookie doesnt update the cookie in tomcat's cache which is reasonable. Other thought was to edit tomcat's sso cookie generation code to append the jvmRoute to the sso cookie. Is there an better way to achieve this in my code base ? Thanks In Advance, Vinod - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h
RE: question for sso session replication in tomcat 6.0.26
Sorry I should clarify few things: In case of no failover, SSO works for all web applications on the same node, not host. Then, session replication upon failover works for non-password protected area only. -Original Message- From: Okubo, Yasushi (TSD) [mailto:yasushi.ok...@takedasd.com] Sent: Tuesday, June 22, 2010 7:57 AM To: Tomcat Users List Subject: RE: question for sso session replication in tomcat 6.0.26 Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all /Location === server.xml === !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=9002 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost jvmRoute=jvm1 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=node2 expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4020 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender/ /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer tempDir=/tmp/war-temp/ deployDir=/usr/local/apache/node2-tomcat-6.0.26/webapps watchDir=/tmp/war-listen/ watchEnabled=true/ -- !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ /Cluster Valve className
RE: question for sso session replication in tomcat 6.0.26
Ok I will try to install the latest apache httpd and test again. Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all /Location === server.xml === !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=9002 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost jvmRoute=jvm1 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=node2 expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4020 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender / /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetec tor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch 15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInter ceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; .*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer tempDir=/tmp/war-temp/ deployDir=/usr/local/apache/node2-tomcat-6.0.26/webapps watchDir=/tmp/war-listen/ watchEnabled=true/ -- !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene r
RE: question for sso session replication in tomcat 6.0.26
Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all /Location === server.xml === !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=9002 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost jvmRoute=jvm1 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=node2 expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4020 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender / /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetec tor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch 15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInter ceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; .*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer
RE: question for sso session replication in tomcat 6.0.26
Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-loin on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf VirtualHost 10.250.200.57:9050 ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common Location /balancer-manager SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all /Location ProxyRequests off Proxy balancer://webclust BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all /Proxy #Do not proxy balancer-manager ProxyPass /balancer-manager ! Location /examples ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all /Location Location / ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all /Location === server.xml === !-- Define an AJP 1.3 Connector on port 8009 -- Connector port=9002 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost jvmRoute=jvm1 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager name=node2 expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.5 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4020 autoBind=100
question for sso session replication in tomcat 6.0.26
Hi experts I found this old email from archive in TC 5.5.23. Does this problem still exist in tomcat 6.0.x or 6.0.26? When failover occurs, sso session id is updated with new number after forcing a user to relogin to the application since sso session id is not replicated and rewritten correctly. Could someone explain what is expected in current tomcat 6.0.x cluster upon failover? Should sso session id is replicated correctly in tomcat 6.0.x? Thanks, yasushi ROOKIE wrote: Hi, I have a problem with tomcat cluster + mod_proxy load balancer : We have a main app which authenticate itself to a webapp and from this app one can launch embedded apps which use the SSO cookie to access other webapps on the server (Single-Sign-On for the user). Things are working perfectly for the normal cookie but not for the sso cookie. The problem I have is that tomcat does not replicate SSO sessions so when these embedded apps route through the load balancer we get 401s on all the other cluster members except the one which actually generated the SSO cookie. I wanted to know if we can edit the SSO cookie generated by tomcat to also contain the jvmRoute parameter so that the load balancer directly goes to the correct cluster member. I tried doing this in my code by fetching the SSO cookie and appending to it the jvmRoute as follows : HttpServletRequest request = (HttpServletRequest)Security.getContext(HttpServletRequest.class); HttpServletResponse response = (HttpServletResponse)Security.getContext(HttpServletResponse.class); if(request != null) { String jvmRoute = Vinod_Cluster_1;// as mentioned in server.xml Cookie[] cookies = request.getCookies(); for(int nc=0; cookies != null nc cookies.length; nc++) { if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _sessionId = cookies[nc].getValue(); } else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _ssoSessionId = cookies[nc].getValue(); if (!_ssoSessionId.contains(. + jvmRoute)) { _ssoSessionId += . + jvmRoute; response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); } } But after this I started getting 401s from even the correct cluster member. My guess is addCookie doesnt update the cookie in tomcat's cache which is reasonable. Other thought was to edit tomcat's sso cookie generation code to append the jvmRoute to the sso cookie. Is there an better way to achieve this in my code base ? Thanks In Advance, Vinod
RE: question for sso session replication in tomcat 6.0.26
Hi Andrew Thank for your post. When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute. So, session replication upon failover is working fine, but singlesionon upon failover is not working on tomcat 6.0.x (including 6.0.26). yasushi -Original Message- From: Andrew Bruno [mailto:andrew.br...@gmail.com] Sent: Monday, June 21, 2010 9:18 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 Looking at the code I think this is wrong if (!_ssoSessionId.contains(. + jvmRoute)) { _ssoSessionId += . + jvmRoute; response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); } The original sessionId will already have the .+_any_other_jvmRoute included, so you need to substring it, and append the new jvmRoute. _ssoSessionId= _ssoSessionId.substring(0, _ssoSessionId.indexOf(.)) and then add _ssoSessionId += . + jvmRoute; AB On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi experts I found this old email from archive in TC 5.5.23. Does this problem still exist in tomcat 6.0.x or 6.0.26? When failover occurs, sso session id is updated with new number after forcing a user to relogin to the application since sso session id is not replicated and rewritten correctly. Could someone explain what is expected in current tomcat 6.0.x cluster upon failover? Should sso session id is replicated correctly in tomcat 6.0.x? Thanks, yasushi ROOKIE wrote: Hi, I have a problem with tomcat cluster + mod_proxy load balancer : We have a main app which authenticate itself to a webapp and from this app one can launch embedded apps which use the SSO cookie to access other webapps on the server (Single-Sign-On for the user). Things are working perfectly for the normal cookie but not for the sso cookie. The problem I have is that tomcat does not replicate SSO sessions so when these embedded apps route through the load balancer we get 401s on all the other cluster members except the one which actually generated the SSO cookie. I wanted to know if we can edit the SSO cookie generated by tomcat to also contain the jvmRoute parameter so that the load balancer directly goes to the correct cluster member. I tried doing this in my code by fetching the SSO cookie and appending to it the jvmRoute as follows : HttpServletRequest request = (HttpServletRequest)Security.getContext(HttpServletRequest.class); HttpServletResponse response = (HttpServletResponse)Security.getContext(HttpServletResponse.class); if(request != null) { String jvmRoute = Vinod_Cluster_1; // as mentioned in server.xml Cookie[] cookies = request.getCookies(); for(int nc=0; cookies != null nc cookies.length; nc++) { if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _sessionId = cookies[nc].getValue(); } else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { _ssoSessionId = cookies[nc].getValue(); if (!_ssoSessionId.contains(. + jvmRoute)) { _ssoSessionId += . + jvmRoute; response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); } } But after this I started getting 401s from even the correct cluster member. My guess is addCookie doesnt update the cookie in tomcat's cache which is reasonable. Other thought was to edit tomcat's sso cookie generation code to append the jvmRoute to the sso cookie. Is there an better way to achieve this in my code base ? Thanks In Advance, Vinod - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for singlesignon for vertical cluster
To experts Could someone clarify if singlesignon or clustersinglesignon on tomcat cluster upon failover ever worked before? Tomcat 6.0.26 [64bit jdk1.6.0_20] on linux box mod_proxy_ajp in httpd-2.2.3-43.el5. I may upgrade it to the latest if singlesignon works upon failover. Otherwise, I may need to look for another solution. I have set up deltamanager as follows. But I do not see any notification upon session replication in catalina.out, but only saw log upon startup. I made web.xml in /examples distributable and tested session replication, and it looks worked upon failover, but do not see any log upon session replication. /examples/servlets/servlet/SessionExample I also changed conf/context.xml to make context attributes distributable: Context className=org.apache.catalina.ha.context.ReplicatedContext/ So, is anyone able to configure singlesignon or clustersinglesignon under tomcat cluster and make it work upon failover? I hope this is only my configuration issue, but it looks like tomcat cluster always asks a user to re-login upon failover no matter how it is configured with its own singlesignon feature. Thanks, Manager className=org.apache.catalina.ha.session.DeltaManager expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager getAllClusterSessions WARNING: Manager [], requesting session state from org.apache.catalina.tribes.membership.MemberImpl[tcp://{127, 0, 0, 1}:4030,{127, 0, 0, 1},4030, alive=30163,id={76 67 -77 -124 -107 -117 74 90 -99 125 -34 19 64 98 -106 116 }, payload={}, command={}, domain={}, ]. This operation will timeout if no session state has been received within 60 seconds. Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager waitForSendAllSessions INFO: Manager []; session state send at 6/2/10 3:16 PM received in 103 ms. Jun 2, 2010 3:16:32 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory examples Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager start INFO: Register manager /examples to cluster element Host with name localhost Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager start INFO: Starting clustering manager at /examples Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager getAllClusterSessions WARNING: Manager [/examples], requesting session state from org.apache.catalina.tribes.membership.MemberImpl[tcp://{127, 0, 0, 1}:4030,{127, 0, 0, 1},4030, alive=30163,id={76 67 -77 -124 -107 -117 74 90 -99 125 -34 19 64 98 -106 116 }, payload={}, command={}, domain={}, ]. This operation will timeout if no session state has been received within 60 seconds. Jun 2, 2010 3:16:32 PM org.apache.catalina.ha.session.DeltaManager waitForSendAllSessions -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, May 26, 2010 3:20 AM To: Tomcat Users List Subject: Re: question for singlesignon for vertical cluster On 24/05/2010 00:36, Okubo, Yasushi (TSD) wrote: Hi I would like to enable singlesignon on vertical cluster environment [multi-nodes on multiple hosts]. We are using clustersinglesignon under host element, and this works in horizontal cluster, but does not work in vertical cluster environment. How are you configuring the cluster in each case? What have you tried? p Is there any way to make this work as part of tomcat configuration? When the node goes down, and a user may be routed to the node located in a different host, it will ask a user to relogin again under the current setup. We would like to avoid a user for relogging to the application. Anyway, if tomcat does not provide singlesigeon solution for vertical cluster, is there any other open source solutions available? Thanks, yasushi OS: linux/redhat 5 - 64 bit Jvm : 1.6.x Tocmat : 6.0.24/26 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Valve className=org.apache.catalina.ha.authenticator.ClusterSingleSignOn / - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for singlesignon for vertical cluster
I think that I miss-stated what horizontal/vertical cluster are. Anyway, I could configure mod_proxy_ajp/mod_proxy_balancer [Apache 2.2.3 from RHEL 5 (64bit] now. Then, it looks like a user is required re-login to access password protected area after fail-over to another node in tomcat [v6.0.26 - jdk1.6.0.20 on linux] cluster both vertical/horizontal. So, we need an external module to control SSO, right? Is there any good open source to do this fail-over avoiding user's re-login integrating with Tomcat? Thanks Martin for some comments regarding SSO info. yasushi -Original Message- From: Okubo, Yasushi (TSD) Sent: Wednesday, May 26, 2010 8:20 AM To: 'Tomcat Users List'; 'p...@pidster.com' Subject: RE: question for singlesignon for vertical cluster I am adding the following cluster element to engine for vertical cluster and to host for horizontal cluster for development. I started configuring mod_proxy_ajp and have some problem to configure, so I may post another question later. Anyway, for vertical cluster, we have setup DNS round robbing for load balancing. When we shutdown one node, a user is routed to anther node, but tomcat asks a user to re-login. For horizontal cluster, at least tomcat does not ask re-login to access a different node running on the same host, but I would like to setup load balancing. yasushi Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.4 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4000 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender / /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetec tor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch 15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInter ceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; .*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- currently very unstable for remote deployment Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer tempDir=/tmp/war-temp/ deployDir=/tmp/war-deploy/ watchDir=/tmp/war-listen/ -- !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene r/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ /Cluster -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, May 26, 2010 3:20 AM To: Tomcat Users List Subject: Re: question for singlesignon for vertical cluster On 24/05/2010 00:36, Okubo, Yasushi (TSD) wrote: Hi I would like to enable singlesignon on vertical cluster environment [multi-nodes on multiple hosts]. We are using clustersinglesignon under host element, and this works in horizontal cluster, but does not work in vertical cluster environment. How are you configuring the cluster in each case? What have you tried? p Is there any way to make this work as part of tomcat configuration? When the node goes down, and a user may be routed to the node located in a different host, it will ask a user to relogin again under the current setup. We would like to avoid a user for relogging to the application. Anyway, if tomcat does not provide singlesigeon solution for vertical cluster, is there any other open source solutions available? Thanks, yasushi OS: linux/redhat 5 - 64 bit Jvm : 1.6.x Tocmat : 6.0.24/26 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Valve className
RE: question for singlesignon for vertical cluster
I think I am looking for this type of behavior in tomcat clustersinglesignon that can be found in jboss. Is this type of feature available in tomcat 6.0.26? Thanks, yasushi Clustered SSO Beginning with the JBoss-3.2.4 release, JBoss AS supports single sign-on to web applications across a cluster, using JBoss Cache for SSO credential caching and replication. This feature uses the org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn valve, which extends the functionality of the standard Tomcat SSO valve to allow the SSO to span multiple nodes in a cluster. * Enables SSO failover * Allows a load balancer to direct requests for different webapps to different servers, while maintaining the SSO. -Original Message- From: Okubo, Yasushi (TSD) Sent: Thursday, May 27, 2010 3:33 PM To: 'Tomcat Users List'; 'p...@pidster.com' Subject: RE: question for singlesignon for vertical cluster I think that I miss-stated what horizontal/vertical cluster are. Anyway, I could configure mod_proxy_ajp/mod_proxy_balancer [Apache 2.2.3 from RHEL 5 (64bit] now. Then, it looks like a user is required re-login to access password protected area after fail-over to another node in tomcat [v6.0.26 - jdk1.6.0.20 on linux] cluster both vertical/horizontal. So, we need an external module to control SSO, right? Is there any good open source to do this fail-over avoiding user's re-login integrating with Tomcat? Thanks Martin for some comments regarding SSO info. yasushi -Original Message- From: Okubo, Yasushi (TSD) Sent: Wednesday, May 26, 2010 8:20 AM To: 'Tomcat Users List'; 'p...@pidster.com' Subject: RE: question for singlesignon for vertical cluster I am adding the following cluster element to engine for vertical cluster and to host for horizontal cluster for development. I started configuring mod_proxy_ajp and have some problem to configure, so I may post another question later. Anyway, for vertical cluster, we have setup DNS round robbing for load balancing. When we shutdown one node, a user is routed to anther node, but tomcat asks a user to re-login. For horizontal cluster, at least tomcat does not ask re-login to access a different node running on the same host, but I would like to setup load balancing. yasushi Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.4 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4000 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender / /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetec tor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch 15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInter ceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; .*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- currently very unstable for remote deployment Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer tempDir=/tmp/war-temp/ deployDir=/tmp/war-deploy/ watchDir=/tmp/war-listen/ -- !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene r/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ /Cluster -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, May 26, 2010 3:20 AM To: Tomcat Users List Subject: Re: question for singlesignon for vertical cluster On 24/05/2010 00:36, Okubo, Yasushi (TSD) wrote: Hi I would like to enable singlesignon on vertical cluster environment [multi-nodes on multiple hosts
RE: question for singlesignon for vertical cluster
I am adding the following cluster element to engine for vertical cluster and to host for horizontal cluster for development. I started configuring mod_proxy_ajp and have some problem to configure, so I may post another question later. Anyway, for vertical cluster, we have setup DNS round robbing for load balancing. When we shutdown one node, a user is routed to anther node, but tomcat asks a user to re-login. For horizontal cluster, at least tomcat does not ask re-login to access a different node running on the same host, but I would like to setup load balancing. yasushi Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=4 Manager className=org.apache.catalina.ha.session.DeltaManager expireSessionsOnShutdown=false notifyListenersOnReplication=true/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=228.0.0.4 port=45564 frequency=500 dropTime=3000/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=4000 autoBind=100 selectorTimeout=5000 maxThreads=12/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender / /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetec tor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch 15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInter ceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; .*\.xls;.*\.sdf;.*\.xml;/ !-- only with jk_mod failover-- Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve enabled=true sessionIdAttribute=takeoverSessionid / !-- currently very unstable for remote deployment Deployer className=org.apache.catalina.ha.deploy.FarmWarDeployer tempDir=/tmp/war-temp/ deployDir=/tmp/war-deploy/ watchDir=/tmp/war-listen/ -- !-- only with jk_mod and jvmroutebindervalve-- ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene r/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ /Cluster -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, May 26, 2010 3:20 AM To: Tomcat Users List Subject: Re: question for singlesignon for vertical cluster On 24/05/2010 00:36, Okubo, Yasushi (TSD) wrote: Hi I would like to enable singlesignon on vertical cluster environment [multi-nodes on multiple hosts]. We are using clustersinglesignon under host element, and this works in horizontal cluster, but does not work in vertical cluster environment. How are you configuring the cluster in each case? What have you tried? p Is there any way to make this work as part of tomcat configuration? When the node goes down, and a user may be routed to the node located in a different host, it will ask a user to relogin again under the current setup. We would like to avoid a user for relogging to the application. Anyway, if tomcat does not provide singlesigeon solution for vertical cluster, is there any other open source solutions available? Thanks, yasushi OS: linux/redhat 5 - 64 bit Jvm : 1.6.x Tocmat : 6.0.24/26 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Valve className=org.apache.catalina.ha.authenticator.ClusterSingleSignOn / - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
question for singlesignon for vertical cluster
Hi I would like to enable singlesignon on vertical cluster environment [multi-nodes on multiple hosts]. We are using clustersinglesignon under host element, and this works in horizontal cluster, but does not work in vertical cluster environment. Is there any way to make this work as part of tomcat configuration? When the node goes down, and a user may be routed to the node located in a different host, it will ask a user to relogin again under the current setup. We would like to avoid a user for relogging to the application. Anyway, if tomcat does not provide singlesigeon solution for vertical cluster, is there any other open source solutions available? Thanks, yasushi OS: linux/redhat 5 - 64 bit Jvm : 1.6.x Tocmat : 6.0.24/26 Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Valve className=org.apache.catalina.ha.authenticator.ClusterSingleSignOn /
RE: question for deploystartup forROOT.war on tomcat cluster
Thanks for your reply, but I do not see any errors and also cannot find any configuration error. -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Saturday, January 23, 2010 1:44 PM To: Tomcat Users List Subject: Re: question for deploystartup forROOT.war on tomcat cluster 2010/1/23 Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com: 1. What attributes are set on the Host element of your server.xml Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false !-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html -- Valve className=org.apache.catalina.ha.authenticator.ClusterSingleSignOn / !-- Access log processes all example. Documentation at: /docs/config/valve.html -- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=webclust1_access_log. suffix=.log pattern=common resolveHosts=false/ /Host http://tomcat.apache.org/tomcat-6.0-doc/config/host.html 2. Are there any Context elements inside Host in your server.xml? Remove them, if there are any. None. 3. When ROOT fails to deploy at startup, does Tomcat Manager at that host shows any webapplication mapped to the same path? (E.g. present, but not started). It is running by seeing from the manager, but it is not starting from the log and by accessing from URL(hostname:port/). OK - Listed applications for virtual host localhost /manager:running:1:manager /:running:0:/ /host-manager:running:0:host-manager ... ... HTTP Status 404 - / type Status report message / description The requested resource (/) is not available. 4. Any relevant messages in the log files? No Error generated, but After Stop-Start or Reload from manager generates the following message Jan 25, 2010 10:18:43 AM org.apache.catalina.core.StandardContext start INFO: Container org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/] has already been started Jan 25, 2010 10:18:45 AM org.apache.catalina.core.StandardContext start INFO: Container org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/] has already been started Jan 25, 2010 10:26:25 AM org.apache.catalina.core.StandardContext reload INFO: Reloading this Context has started Jan 25, 2010 10:26:25 AM org.apache.catalina.ha.session.DeltaManager stop INFO: Manager [localhost#] expiring sessions upon shutdown Jan 25, 2010 10:26:25 AM org.apache.catalina.ha.session.DeltaManager start INFO: Register manager localhost# to cluster element Engine with name Catalina Jan 25, 2010 10:26:25 AM org.apache.catalina.ha.session.DeltaManager start INFO: Starting clustering manager at localhost# Jan 25, 2010 10:26:25 AM org.apache.catalina.ha.session.DeltaManager getAllClusterSessions WARNING: Manager [localhost#], requesting session state from org.apache.catalina.tribes.membership.MemberImpl[tcp://{10, -6, -56, 33}:4000,{10, -6, -56, 33},4000, alive=436811673,id={-73 -106 -118 34 90 37 69 -120 -107 118 21 127 50 12 28 -85 }, payload={}, command={}, domain={}, ]. This operation will timeout if no session state has been received within 60 seconds. Jan 25, 2010 10:27:25 AM org.apache.catalina.ha.session.DeltaManager waitForSendAllSessions SEVERE: Manager [localhost#]: No session state send at 1/25/10 10:26 AM received, timing out after 60,081 ms. When I restart tomcat node [shutdown.sh/startup.sh], My ROOT.war needs to read database and to initialize servlets as specified in its web.xml, but it looks like it is not reading the data from database under cluster setup like other applications do. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for deploystartup forROOT.war on tomcat cluster
-Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Monday, January 25, 2010 11:16 AM To: Tomcat Users List Subject: Re: question for deploystartup forROOT.war on tomcat cluster 2010/1/25 Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com: OK - Listed applications for virtual host localhost This: /manager:running:1:manager /:running:0:/ /host-manager:running:0:host-manager and this: HTTP Status 404 - / type Status report message / description The requested resource (/) is not available. means that the web application is deployed and running. When there is no ROOT application deployed, Tomcat will respond with an empty zero-length response (it looks like a blank page in a browser). It looks like a web application that does not have a welcome page. Please check that your ROOT.war was properly expanded into /webapps/ROOT folder, and that those files (especially WEB-INF/web.xml) are readable by the user that runs that Tomcat instance. Yes, it has. welcome-file-list welcome-fileindex.html/welcome-file /welcome-file-list -rw-rw-r-- 1 xxx yyy 114 Nov 25 14:05 webapps/ROOT/index.html -rw-rw-r-- 1 xxx yyy 15197 Nov 25 14:51 webapps/ROOT/WEB-INF/web.xml Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: question for deploystartup forROOT.war on tomcat cluster
Thanks for your reply. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Saturday, January 23, 2010 8:53 AM To: Tomcat Users List Subject: RE: question for deploystartup forROOT.war on tomcat cluster From: Okubo, Yasushi (TSD) [mailto:yasushi.ok...@takedasd.com] Subject: question for deploystartup forROOT.war on tomcat cluster 3. confirmed that [Catalina_home]/conf/ROOT.xml and webapps/ROOT and webapps/ROOT.war existed Two obvious problems: 1) The ROOT.xml file belongs in conf/Catalina/[host], not conf. Sorry for my typo. I missed to type Catalina/[host] in the path. So it should be [Catalina_home]/conf/Catalina/localhost/ROOT.xml as exact. 2) The existence of the webapps/ROOT directory will prevent the unpacking of the .war file. Why only /ROOT? My other applications all have been re-deployed properly, even if there existed webapps/[app] and its corresponding war file. My problem is only ROOT.war is having a problem to be re-deplpoyed. Is /ROOT treated differently? Your process is flawed. If you're going to do a manual redeployement rather than using the Tomcat manager or deployer, you will need to clean up the bits of the old version of the application yourself, including the expanded directory, anything for ROOT under the work directory, and possibly the old ROOT.xml file. Again, why only /ROOT needs this special treatment under tomcat cluster environment? I have been removing ROOT.xml and /ROOT before restarting tomcat node, and I would like to stop it if is possible. The exact same ROOT.war file can be redeployed under single tomcat instance after restarting tomcat, but it is not re-redeployed on the node under tomcat cluster - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
question for deploystartup forROOT.war on tomcat cluster
Hi I have my application packaged as ROOT.war file. I can auto-deploy this war file on single tomcat instance whenever I restart tomcat or put a new war file into webapps. However, if I put the same war file into tomcat cluster and restart tomcat, tomcat does not redeploy this war file. In tomcat cluster [6.0.20/Redhat 5(linux)] , I tested as follows: A. tomcat fresh startup [succeeded to run ROOT application] 1. shutdown tomcat 2. confirmed only webapps/ROOT.war existed and no [Catalina_home]/conf/ROOT.xml and no webapps/ROOT 3. start tomcat [node1 of cluster] 4. confirmed that ROOT.war was deployed B. restarting tomcat [failed to run ROOT application] 1. shutdown tomcat 3. confirmed that [Catalina_home]/conf/ROOT.xml and webapps/ROOT and webapps/ROOT.war existed 2. simply restarting tomcat by executing shartup.sh 3. other applications under webapps including host-manager etc deployed and running properly 4. confirmed that only ROOT.war was not deployed C. test autodeploly [succeeded to run ROOT application] 1. confirmed that tomcat is running 2. moved ROOT.war out of webapps 3. confirmed that tomcat removed [Catalina_home]/conf/ROOT.xml and webapps/ROOT 4. copied ROOT.war backed to webapps 5. confirmed that tomcat created [Catalina_home]/conf/ROOT.xml and webapps/ROOT and the application packaged in ROOT.war is running Is there any trick to make case B work? Thanks, - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
form authentication error on tomcat cluster
Hi I have configured tomcat cluster [v6.0.20] on linux box with mod_proxy/mod_proxy_ajp [tomcat 6/Redhat 5/stickysession also turned on for load balancer] on two different nodes. Each node is running one tomcat instance. I inserted cluster element under engine and turned on jvmroute by setting up mod_proxy/mod_proxy_ajp. I also tested with mod_jk, but both cases failed. Anyway, when I turned on form authentication, it always generates the error for the fist login attempt, but the second login attempt always succeeds. I am getting: HTTP Status 400 - Invalid direct reference to form login page When I switched from form to basic authentication, the first login attempt always succeeds. When I turned off mod_proxy/mod_proxy_ajp or mod_jk with very basic simple cluster configuration also has this problem if I tried to use two nodes [two physically different node by inserting cluster element under engine element on server.xml]. If I moved cluster element to under host element by setting up two tomcat instances on the same machine/node, the first login attempts succeeds with form authentication. Is there any way to make form authentication work for the fist login attempt with two different nodes? I am using clustersinglesignon. Even if I switch to singlesignon, the result is consistent. Any idea? Thanks, yasushi